Rails 5.2 credentials are not secure

printercu edited this page Jun 11, 2018 · 3 revisions

Rails 5.2 introduces Rails.application.credentials, which is read from an encrypted YAML file. It makes managing API keys, passwords, tokens, etc. easier for apps that don't use a separate repo with orchestration and/or server configuration scripts (Ansible, Chef, and others). Although this can be very handy, the current implementation trades security for ease of use. And I think most teams will lean toward the latter, because the security issues are not clear.

One issue is that credentials are the same for all environments, and there are already several gems solving it. But the main issue is having a single encrypted file for all environments and storing the master key in the local repo. While encrypted secrets from Rails 5.1 support multiple environments in a single file, they still use a single encrypted store, so they have the same issue.

It's expected that the team shares the master key and every developer has access to production credentials. This is unacceptable for some teams, and if they don't want to share the key, they have to use various workarounds. But when the master key is kept in the local repo along with credentials.yml.enc, it's similar to keeping a PIN code and a credit card in the same wallet. The credentials are not safe anymore, because the encryption key sits right next to them. All it takes is running Rails.application.credentials to get all of the app's unencrypted production credentials, which can be exploited by malware or a malicious gem. Of course, this is quite tricky, but are you sure nobody on your team will ever be compromised?
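The check below is an added example, not code from this page or from the secure_credentials gem: it audits a checkout for the layout described above, a key file sitting beside the encrypted store it unlocks. It assumes the default Rails 5.2 and 5.1 file names; the function names, finding symbols and sample tree are constructed for illustration.

```ruby
require "tmpdir"
require "fileutils"

# Key file => encrypted store it unlocks (Rails 5.2 credentials, Rails 5.1 encrypted secrets).
KEY_PAIRS = {
  "config/master.key"      => "config/credentials.yml.enc",
  "config/secrets.yml.key" => "config/secrets.yml.enc"
}.freeze

# Simplified .gitignore match: no negation ("!") or "**" handling.
def ignored?(patterns, path)
  patterns.any? do |pat|
    pat = pat.sub(%r{\A/}, "")
    if pat.include?("/")
      File.fnmatch(pat, path, File::FNM_PATHNAME)
    else
      File.fnmatch(pat, File.basename(path))
    end
  end
end

# Returns [key_file, problem] pairs for one application checkout.
def audit_key_placement(root)
  gitignore = File.join(root, ".gitignore")
  patterns = File.exist?(gitignore) ? File.readlines(gitignore).map(&:strip) : []
  KEY_PAIRS.each_with_object([]) do |(key, store), findings|
    key_path = File.join(root, key)
    next unless File.exist?(key_path)
    # The situation the page describes: the key sits right next to what it decrypts.
    findings << [key, :key_beside_ciphertext] if File.exist?(File.join(root, store))
    findings << [key, :not_gitignored] unless ignored?(patterns, key)
    # Any group/other permission bit means other local accounts can read the key.
    findings << [key, :readable_by_others] if (File.stat(key_path).mode & 0o077) != 0
  end
end

# Constructed sample checkout (not a real app): key beside ciphertext, mode 0644.
def demo_findings
  Dir.mktmpdir do |root|
    FileUtils.mkdir_p(File.join(root, "config"))
    File.write(File.join(root, "config/credentials.yml.enc"), "constructed-ciphertext")
    File.write(File.join(root, "config/master.key"), "constructed-key")
    File.chmod(0o644, File.join(root, "config/master.key"))
    File.write(File.join(root, ".gitignore"), "/log/*\n/config/master.key\n")
    audit_key_placement(root)
  end
end

p demo_findings
```

A clean result only means no key file was found in the checkout; it says nothing about who else holds a copy of the shared key.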

I think a framework should provide solutions that are as safe by default as possible. The secure_credentials gem aims to be a more secure drop-in replacement for Application#credentials and encrypted secrets. It solves the security issue and allows storing encrypted files in the repo by using separate files for different environments. It gives flexibility by allowing any combination of encrypted/plain and single-/multi-environment files for configuration: it's possible to have an encrypted secrets.production.yml.enc for production and a plain secrets.yml for all other environments.

Please leave comments and feedback in this issue.